fix(app): redact tokens in miner dashboard change text

[galuis116]

Closes #448.

sanitizePublicText (the public-safety boundary for miner-dashboard change labels and rerun reasons) stripped local paths and sensitive words but had no rule for secret tokens (ghp_/github_pat_/gts_/glpat-/sk-), unlike the sibling sanitizers in agent-action-explanation-card.ts, weekly-value-report.ts, and control-panel-roles.ts. Its own test already declared those tokens forbidden, but the assertion only passed because no fixture injected one.

Changes

• Add a FORBIDDEN_TOKEN redaction step to sanitizePublicText, matching the established pattern.
• Add a ghp_… token to the rerunWhen fixture so the existing public-safety assertion actually exercises token redaction.

Verification

• npx vitest run test/unit/miner-dashboard-recommendations.test.ts → 10/10 pass.

[gittensory]

Note

Gittensory Gate skipped

PR closed before full evaluation. No late first comment was created.

Signal	Result	Evidence	Action
Gate result	⚠️ Skipped	#449 is no longer open.	No action.

---

Checked by Gittensory, a quiet PR intelligence layer for OSS maintainers.

[JSONbored]

Requesting changes. CI is green, but the token redaction regex misses a common hyphenated sk- token shape, so the changed sanitizer is not safe enough for the behavior this PR claims. No merge action taken.

Retracting this review: the regex character class already allows hyphenated sk- token bodies, so the requested-change note was incorrect.

[JSONbored]

Reviewed again after correcting my earlier regex read. The added token sanitizer covers the tested GitHub token path and the hyphenated sk- shape; the dashboard text sanitizer still runs private-language redaction after token redaction. CI is green. Approved. No merge action taken.